How to troubleshoot sign-in issues in Lync Online

Article ID: 2541980

INTRODUCTION

This article describes how to troubleshoot sign-in issues that may occur when you use Microsoft Lync Online. 

The first thing to do when you troubleshoot a connectivity or authentication issue is to scope the problem effectively. Ask the questions listed in this article, and try to match the error message that's received in Microsoft Lync 2010 or Microsoft Lync 2013 to a user issue, network issue, or computer issue. When you troubleshoot Microsoft Office 365 sign-in issues, start by scoping the problem according to the following categories. Thoroughly document your findings. 

PROCEDURE

Scope the sign-in problem

When you troubleshoot Office 365 sign-in issues, start by scoping the problem according to the following categories. Find out whether the issue affects multiple users, multiple client computers, or both. Find out which applications the user or users can't sign in to. Use the following table to help scope the issue. 

| Issue | A single user on one computer only | A single user on multiple computers | Multiple users on one computer only | Multiple users on multiple computers |
|---|---|---|---|---|
| Can't sign in to the Office 365 portal | Client issue | Identity or Windows Azure Active Directory (Windows Azure AD) issue | Client issue | Identity or Windows Azure AD issue |
| Can't sign in to Lync Online but can sign in to the Office 365 portal | Client issue | Network or Lync Online service issue | Client issue | Network, Lync Online service or Windows Azure AD issue |
| Can't sign in to either the Office 365 portal or Lync Online | Client issue | Identity or Windows Azure AD issue | Client issue | Identity or Windows Azure AD issue |

You can use this table to narrow the Lync sign-in problem to a certain category. This correlates to the Type column in the table that appears later in this article. The following is an example of how to read this table.

A single user (but not multiple users) can't sign in to the Office 365 portal from multiple computers. This is usually caused by an identity issue or an issue with Windows Azure AD.
Each column in this table is mutually exclusive. That is, the issue affects either a single user or multiple users. And, the issue can be reproduced either on one computer or on multiple computers.

Lync Online sign-in error messages

After you scope the problem by using the table that appears earlier in this article, use either the Error message or Type column in the following table to narrow the troubleshooting steps.

| Error message | Cause | Type | Resolution |
|---|---|---|---|
| Cannot sign in because the server is temporarily unavailable. If the problem continues, please contact your support team. | No Domain Name System (DNS) record. Autodiscover fails. | Network | See Fix DNS and network-related sign-in problems |
| Lync couldn’t find a Lync Server for contoso.com. There might be an issue with the Domain Name System (DNS) configuration for your domain. Please contact your support team. | No Domain Name System (DNS) record. Autodiscover fails. | Network | See Fix DNS and network-related sign-in problems |
| Cannot sign in to Lync because this sign-in address was not found. Please verify the sign-in address and try again. If the problem continues, please contact your support team. | User isn't licensed for Lync Online. | Identity/authentication | See Fix user identity and Windows Azure AD issues in Lync Online |
| Cannot sign in to Lync. You may have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator. | Wrong version of the Lync 2010 or Lync 2013 client | Client | See Fix Lync client-side issues |
| To sign in, additional software is required. Download and install now? | The Microsoft Online Services Sign In Assistant isn't installed on the computer that has Lync 2010 installed. | Client | See Fix Lync client-side issues |
| The username, password or domain appears to be incorrect. Ensure that you entered them correctly. If the problem continues, please contact your support team. | Wrong user name, sign-in address, or password | Identity/authentication | See Fix user identity and Windows Azure AD issues in Lync Online |
| The server is not responding or cannot be reached. Sign-in may be delayed while we retry the connection. | Can't contact the authentication service. Active Directory Federation Services (AD FS) 2.0 or Windows Azure AD isn't available. | Identity/authentication | See Fix user identity and Windows Azure AD issues in Lync Online |
| There was a problem acquiring a personal certificate required to sign in. If the problem continues, please contact your support team. | Certificate error | Client | See Fix Lync client-side issues |
| There was a problem verifying the certificate from the server. Sign-in may be delayed while we retry the connection. | Can't verify the certificate chain from the AD FS 2.0 server | Identity/authentication | See Fix user identity and Windows Azure AD issues in Lync Online |

Fix Lync client-side issues

To resolve most client-side issues, start by making sure that the computer meets the minimum system requirements for Lync 2010 or Lync 2013, and for Office 365. Additionally, make sure that all the necessary applications are configured correctly and are up to date.
  1. Check to make sure that the computer meets all the requirements:
  2. If you're using Windows XP or Windows Vista, install the latest version of the Lync 2010 client from the Office 365 portal.
    • Run Office 365 Desktop Setup after you install Lync 2010. Office 365 Desktop Setup tells you whether your computer meets the minimum system requirements for Office 365. It also installs software and updates that are required to connect to Office 365. 
  3. If you're using Windows 7 or Windows 8, install the latest Lync 2013 client from the Office 365 portal by installing the latest version of Microsoft Office. 
  4. After you install the latest version, enable automatic updating on the computer to make sure that Lync and Office are always up to date. Or, go to the Microsoft Update website regularly to install the latest updates.
  5. If you still can't sign in, go to the next section to delete sign-in information.


Delete sign-in information for Lync 2013

When Lync 2013 signs in successfully, and you selected the Save my password check box, Lync 2013 caches your credentials and other information about its connection to Lync Online. If you have problems signing in to Lync Online with your cached credentials, click Delete my sign-in information and Lync 2013 will automatically remove any saved password, certificates, and connection settings for the user account.


Delete sign-in information for Lync 2010

When Lync 2010 connects to a specific front-end server, it caches that endpoint to make the sign-in process faster in the future. However, sometimes the endpoint can be changed. This can cause sign-in to fail. To delete the endpoint cache, view the following article in the Microsoft Knowledge Base:
2698626 Error message when you try to sign in to Lync 2010 after a network outage or a Lync Online service outage: "Cannot sign in to Lync"

Fix certificate-related errors in Lync

When the Lync client can't obtain a personal certificate, there are potentially multiple reasons for the error. For more information about the reasons why a user may receive this error message when they sign in to Lync Online, view the following article in the Microsoft Knowledge Base: 
2604176 Error message when an Office 365 user tries to sign in to Lync Online: "There was a problem acquiring a personal certificate required to sign in"

If the issue isn't fixed after you follow the steps for resolving client-side issues, go to the next section to fix DNS and network issues that can prevent Lync from signing in.

Fix DNS and network-related sign-in problems

Automatic configuration should detect the correct servers to which the user should connect. If you sign in by using a custom domain (such as joe@contoso.com), there are certain DNS records that must be added to the domain's DNS host for automatic configuration to work. 

Depending on the specific network through which Lync 2013 is connecting, certain IP ranges and ports may have to be opened for authentication to succeed. For more information about Lync Online network requirements through a firewall or a proxy, view the following article in the Microsoft Knowledge Base: 
2409256 You can't connect to Lync Online, or certain features don't work, because an on-premises firewall blocks the connection

Bypass Lync Autodiscover and DNS resolution

The Lync client can be set to use manual configuration to determine whether the sign-in issue is related to DNS resolution issues. If manual configuration works and automatic configuration doesn't work, it usually indicates a problem with DNS resolution. This usually occurs because the DNS SRV records aren't present or are inaccessible from the client computer. To set Lync to use manual configuration, follow these steps:
  1. In the upper-right area of Lync, click the Gear icon to open the Options page.
  2. In the Lync - Options dialog box, click Personal.
  3. Next to the sign-in address, click Advanced.
  4. Make sure that Manual Configuration is selected and that the configuration values are exactly as follows:
    • Internal server name or IP address: sipdir.online.lync.com:443
    • External server name or IP address: sipdir.online.lync.com:443
Important: If manual configuration works but automatic configuration still fails, the issue isn't resolved. Follow the steps in the following article in the Microsoft Knowledge Base to confirm that the correct Autodiscover records exist:
2566790 Troubleshooting Lync Online DNS configuration issues in Office 365
If both manual and automatic configurations fail, there might be a firewall blocking the connection to Lync Online. For more information, see the following resources:
  • 2409256 You can't connect to Lync Online, or certain features don't work, because an on-premises firewall blocks the connection
  • Office 365 Blog: Make sure that your network works with Lync Online
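
The DNS check behind this section, as an added example that is not part of the original article: it parses the output of a Windows nslookup SRV query and compares the answer with the sipdir.online.lync.com:443 endpoint used for manual configuration. The _sip._tls record name, the nslookup output layout and the sample text are assumptions made for this example.

```python
import re

# Endpoint the article gives for manual configuration.
EXPECTED_TARGET = ("sipdir.online.lync.com", 443)

# Constructed output of: nslookup -type=SRV _sip._tls.contoso.com
SAMPLE_GOOD = """\
Server:  dns1.contoso.example
Address:  192.0.2.53

Non-authoritative answer:
_sip._tls.contoso.com   SRV service location:
          priority       = 100
          weight         = 1
          port           = 443
          svr hostname   = sipdir.online.lync.com
"""

# Constructed output for a domain where the record was never added.
SAMPLE_MISSING = """\
Server:  dns1.contoso.example
Address:  192.0.2.53

*** dns1.contoso.example can't find _sip._tls.contoso.com: Non-existent domain
"""


def parse_srv(nslookup_text):
    """Return (owner name, port, target host) for every complete SRV answer."""
    records, current = [], None
    for line in nslookup_text.splitlines():
        head = re.match(r"^(\S+)\s+SRV service location:", line)
        if head:
            current = {"name": head.group(1).rstrip(".").lower()}
            records.append(current)
            continue
        field = re.match(r"^\s+(port|svr hostname)\s*=\s*(\S+)", line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).rstrip(".").lower()
    return [(r["name"], int(r["port"]), r["svr hostname"])
            for r in records if "port" in r and "svr hostname" in r]


def check_autodiscover(domain, nslookup_text):
    """Classify the SRV answer for a sign-in domain: ok, missing or mismatch."""
    wanted = "_sip._tls." + domain.lower()
    found = [r for r in parse_srv(nslookup_text) if r[0] == wanted]
    if not found:
        return "missing"      # automatic configuration has nothing to follow
    if any((host, port) == EXPECTED_TARGET for _, port, host in found):
        return "ok"
    return "mismatch"         # record exists but points somewhere else


if __name__ == "__main__":
    print(check_autodiscover("contoso.com", SAMPLE_GOOD))
    print(check_autodiscover("contoso.com", SAMPLE_MISSING))
```

A "mismatch" result deserves the same attention as "missing": clients that use automatic configuration would be directed to a host other than the one the manual settings name.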

Fix user identity and Windows Azure AD issues in Lync 2013

Resolving issues that are involved with a user's identity or Windows Azure AD can be difficult. The process involves scoping the issue to a specific point of failure. Work through all the following questions and tests before you decide what the cause of the failure might be.
  1. Test: Can the user sign in to the Office 365 portal?
    • No. If the user can't sign in to the Office 365 portal or any other Office 365 services, the problem is directly linked to the user's identity or Windows Azure AD. In this case, the problem isn't caused by Lync Online and must be looked at by Office 365 technical support.
    • Yes. If the user can sign in to the Office 365 portal but can't sign in to Lync Online, go to the next step.
  2. Question: Is the user licensed for Lync Online?
    • No. In the Office 365 portal, make sure that the user has a Lync Online license. After the user is assigned a license, wait at least 30 minutes, and then make sure that the user is listed in the Lync Online Administration Center. If the user is listed, it means the Lync Online service has created and configured a Lync Online account for the user.
    • Yes. If the user definitely has a Lync Online license, there may be other reasons that the user can't sign in to Lync Online. Go to the next step.
  3. Question: Is the organization synchronizing their on-premises Active Directory schema with Office 365 by using the Windows Azure Active Directory Sync Tool?
    • No. Go to the next step.
    • Yes. If the customer previously had a Lync Server or Office Communications Server deployed on-premises, there may be attributes that are preventing Lync Online users from being correctly provisioned. Check the user in the Active Directory schema, look for the msRTCSIP-UserEnabled attribute, and verify that this attribute is set to true. 

      For more information, view the following article in the Microsoft Knowledge Base: 
      2705378 Error message when you try to sign in to Lync Online: "Cannot sign in to Lync because this sign-in address was not found"
  4. Question: Is the user enabled for enterprise single sign-on (SSO) through an on-premises AD FS 2.0 server?

    Hint: One quick way to determine whether the user is enabled for SSO is to have the user try to sign in to the Office 365 portal. Have the user enter their user name, and then press the Tab key to move to the Password box. If the user receives a “You are now required to sign in at <Domain>” message, and if a link to sign in through the company’s AD FS 2.0 server appears, the user is enabled for SSO.
    • No. If the user isn't SSO enabled, follow the steps in the Fix Lync client-side issues section.
    • Yes. If the user is SSO enabled, there may be a problem with the setup of the on-premises AD FS 2.0 server. There are some tests that you can perform to determine whether this is the case. Go to the next step.
  5. Question: Can another SSO-enabled user from the same organization sign in to Lync Online?
    • No. This indicates a larger problem with the organization’s identity authentication system. Go to the next step.
    • Yes. This indicates a single user identity issue that must be looked at by Lync Online technical support. If you haven't gone through steps to exclude client issues, see Fix Lync client-side issues.
  6. Question: Can a user who isn't SSO-enabled sign in to Lync Online?
    • No. If users who are SSO-enabled and users who aren't SSO-enabled can't sign in to Lync Online, there might be a service-related issue with Lync Online. Check the service health dashboard in Office 365 to see whether there are any outages for Lync Online. If there are no outages, and if no users can sign in to Lync Online, make sure that it isn't a Network- or DNS-related issue, and then contact Lync Online technical support.
    • Yes. Go to the next step.
  7. Test: If the user is licensed to use Office ProPlus, try to install and activate a copy of Office 365 ProPlus. If the user is an admin, they can also test rich client authentication by using the Windows Azure Active Directory Module for Windows PowerShell to try to connect to the Office 365 PowerShell service. Can the user sign in to services by using rich client authentication?
    • No. If rich client authentication isn't working for any Office 365 service, there's probably an issue with the company’s setup of AD FS 2.0. The setup should be looked at by Microsoft Office 365 technical support for SSO issues.
    • Yes. If rich client authentication is working for other Office 365 services, go to the next step.
  8. Test: Try to access the company’s AD FS 2.0 WS-Metadata Exchange (MEX) document to confirm that rich clients such as Lync can authenticate through the company’s on-premises authentication system. Open Internet Explorer and browse to the MEX URL. The MEX URL usually has a format that resembles the following:
    https://sts.contoso.com/adfs/services/trust/mex
    Is the document successfully displayed in a web browser?
    • No. If the MEX document isn't available through the web browser, the user will be unable to authenticate through any rich clients. This explains why the user can sign in to the Office 365 portal and probably also Exchange Online but can't sign in to Lync Online. The Office 365 portal and Exchange Online both use simple authentication instead of rich client authentication. If this is the case, the issue should be looked at by Office 365 technical support for SSO issues.

      For an AD FS 2.0 hotfix that may resolve this issue, view the following article in the Microsoft Knowledge Base: 
      2254265 The "500" error code is returned when you send an HTTP SOAP request to the "/adfs/services/trust/mex" endpoint on a computer that is running Windows Server 2008 R2 or Windows Server 2008
    • Yes. If the user can access the MEX document from a web browser, they should also be able to sign in to other Office 365 services by using rich client authentication. Services such as Lync 2013, Office ProPlus, and the Windows Azure Active Directory Module for Windows PowerShell use the Microsoft Online Services Sign In Assistant to authenticate through rich client authentication. Go to the next step.

Next steps, if the issue isn't resolved

If the problem persists, create a MOSDALREPORT file, and then contact Office 365 technical support. To do this, follow these steps:
  1. Download and then install the Microsoft Online Services Diagnostic and Logging (MOSDAL) Support Toolkit from the following Microsoft website:
    http://www.microsoft.com/download/en/details.aspx?id=626
  2. Run the MOSDAL Support Toolkit, select IM and Online Meetings with Lync Online from the list of Office 365 services, and then click Next.
  3. Enter your user ID and password, and then click Next. Your user ID and password aren't saved by MOSDAL and are only used to diagnose potential sign-in problems.
  4. On the next screen, restart Lync 2013, and then reproduce the issue by trying to sign in to Lync Online.
  5. When MOSDAL finishes collecting data, click Exit and Show Files, and then contact Office 365 technical support.

Diagnose authentication issues by using MOSDAL and Snooper

To diagnose authentication issues, you have to have the MOSDAL Support Toolkit and Snooper. Follow these steps:
  1. Collect data to analyze.

    Follow the steps that are described earlier in this article to download and install the MOSDAL Support Toolkit, and then generate a report that's compiled into a file that's named MOSDALREPORT.zip.
  2. Examine the Lync log files.
    1. Open the MOSDALREPORT.zip file, and then open the User_Applications\Lync folder.
    2. Use Snooper to open the file that's named Communicator-uccapi-0.uccapilog.

    3. On the Messages tab, look for the authentication attempt. This is indicated by "REGISTER sip:contoso.com SIP/2.0."



      Directly under the authentication attempt is the server's response to your authentication attempt. In this example, the server's response is SIP/2.0 401 Unauthorized.

      On the right side of Snooper, additional detail is provided from the SIP header. The MS-Client-Diagnostics field will sometimes contain additional information about the failure, as shown in the following example.

  3. Examine the network diagnostics.
    • Name resolution in DNS
      1. Open the MOSDALREPORT.zip file. Under Network_Tests, locate the NsLookup folder, and then locate the O365_NSLookup folder.
      2. Look for and then open a file that's named "nslookup sipdir.online.lync.com.txt" to verify that you can resolve sipdir.online.lync.com in DNS.

      3. If the fully qualified domain name (FQDN) is resolvable in DNS, you see the DNS server from which you obtained the response. This is followed by the FQDN and the IP address to which it resolves in DNS. If the DNS server can't resolve the name, contact the IT administrator, because this indicates that there's most likely a configuration issue with the internal DNS server.
    • Ports that are open in the firewall or proxy
      1. Open the MOSDALREPORT.zip file. Under Network_Tests, locate the PortQry folder, and then locate the O365_Port_Queries folder.
      2. Look for and then open a file that's named "PortQry.exe -n sipdir.online.lync.com -p both -e 443.txt" to check the status of port 443. This port must be open for Lync Online to work correctly.



        The file indicates whether port 443 is open to TCP and UDP traffic. Be aware that for Lync Online, we are concerned only with TCP. Next to the line that says TCP port 443 (https service), look for the word LISTENING. This indicates that the port is open from the client computer's perspective.
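
The log checks in steps 2 and 3, as an added example that is not part of the original article: it pairs each REGISTER with its final response, extracts the diagnostics header, and reads the TCP 443 state from PortQry output. The sample text is constructed, and the ms-diagnostics header name and its id;reason;source layout are assumptions of this example.

```python
import re

# Constructed, simplified SIP exchange as Snooper lists it; values are illustrative.
SAMPLE_SIP = """\
REGISTER sip:contoso.com SIP/2.0
Call-ID: c1
CSeq: 1 REGISTER

SIP/2.0 401 Unauthorized
Call-ID: c1
CSeq: 1 REGISTER

REGISTER sip:contoso.com SIP/2.0
Call-ID: c1
CSeq: 2 REGISTER

SIP/2.0 401 Unauthorized
Call-ID: c1
CSeq: 2 REGISTER
ms-diagnostics: 1000;reason="Final handshake failed";source="fe.example.invalid"
"""
# Constructed PortQry result line for the port 443 query file.
SAMPLE_PORTQRY = "TCP port 443 (https service): LISTENING\n"

def parse_messages(text):
    """Split blank-line-separated SIP messages into (start line, headers) pairs."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            pairs = (ln.partition(":") for ln in lines[1:])
            out.append((lines[0], {n.strip().lower(): v.strip() for n, s, v in pairs if s}))
    return out

def parse_diagnostics(value):
    """Turn 'id;reason="...";source="..."' into a dict with an integer id."""
    lead = re.match(r"\s*(\d+)", value)
    return {"id": int(lead.group(1)) if lead else None,
            **dict(re.findall(r'([\w-]+)="([^"]*)"', value))}

def register_outcomes(text):
    """Pair each REGISTER with its final response, matched on Call-ID and CSeq."""
    pending, outcomes = set(), []
    for start, hdrs in parse_messages(text):
        key = (hdrs.get("call-id"), hdrs.get("cseq"))
        if start.startswith("REGISTER "):
            pending.add(key)
        elif start.startswith("SIP/2.0 ") and key in pending:
            status = int(start.split()[1])
            if status >= 200:  # ignore provisional 1xx responses
                pending.discard(key)
                raw = hdrs.get("ms-diagnostics") or hdrs.get("ms-client-diagnostics")
                outcomes.append(
                    {"status": status, "diag": parse_diagnostics(raw) if raw else None})
    return outcomes

def sign_in_failed(outcomes):
    """The first 401 is normally the auth challenge, so judge the last response."""
    return bool(outcomes) and outcomes[-1]["status"] != 200

def tcp_443_status(portqry_text):
    """Return PortQry's state for TCP 443, so 'NOT LISTENING' is not read as open."""
    m = re.search(r"^TCP port 443 \(https service\):\s*(.+?)\s*$", portqry_text, re.M)
    return m.group(1) if m else None
```

Comparing the returned state for equality with LISTENING avoids the mistake a plain substring search makes on a NOT LISTENING line.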



Properties

Article ID: 2541980 - Last Review: May 31, 2013 - Revision: 50.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for small businesses  (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • Microsoft Lync Online